[f-nsp] [4G SSL] ACLs flow-based Vs rule-based

Youssef Ghorbal Youssef.Ghorbal at netplus.fr
Fri May 1 15:49:43 EDT 2009


the 4G SSL is running ver 11.0.00aTI4

Youssef Ghorbal
------------------------------------
On May 1, 2009, at 3:59 PM, Ryan DeBerry wrote:

> What version of code are you running?
>
> On Fri, May 1, 2009 at 12:44 PM, Youssef Ghorbal <Youssef.Ghorbal at netplus.fr 
> > wrote:
> Hello,
>
>        We are migrating a ServerIronXL to a 4G SSL box. Both act in  
> L3 mode (they are "routers" and not "switches")
>        In the ServerIronXL we used to have an ACL on the uplink  
> interface of the box. Something like :
>
>        interface ethernet 1
>        ip access-group ALL-IN in
>
>        The ACL is applied on the ethernet interface and not on VE.
>        In the 4G SSL box, the ip access-group command does not exist  
> in the "interface ethernet 1" context. But does in the VE context  
> (ip interface ve 1)
>        It seems that ACLs apply on a per-VLAN basis now.
>
>        Also, in the documentation, a distinction is made between  
> flow-based ACLs and rule-based ACLs but I can't see the real  
> difference between the two. In which case is it useful to do  
> flow-based ACLs and in which it doesn't.
>
>        My problem is this :
>        In the past we used to have a "big" ACL applied on the uplink  
> port. The big ACL contains rules regarding all subnets (VEs)  
> configured on the ServerIronXL
>        On the 4G SSL, ACLs are applied on VE basis. And I have to  
> choose to use rule-based or flow-based ACLs.
>
>        Should I keep the big ACL and apply it to all VE interfaces ?
>        Should I make an ACL per VE ? (divide the big ACL in little  
> ones)
>        Should I activate flow-based ACLs or rule-based ones ? It  
> would be nice if someone can explain to me the exact difference between  
> them.
>
> Regards,
> Youssef Ghorbal
>
>
>
>
>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>
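Added example, not from this thread or from Foundry: a small script for the "divide the big ACL into little ones" option above. It splits one uplink ACL into one list per VE, keeps the original first-match order inside each list, replicates catch-all rules (destination "any") to every VE so their effect is not lost in the split, and returns rules that match no VE for manual review. The Foundry-style ACL syntax, the VE names and the addresses are constructed assumptions for illustration.

```python
import ipaddress
# Constructed sample: the "big" uplink ACL from the question in Foundry-style
# extended-ACL syntax (assumed format), plus the subnet behind each VE.
BIG_ACL = """\
access-list 101 permit tcp any 10.1.1.0 0.0.0.255 eq 80
access-list 101 permit tcp any 10.1.2.0 0.0.0.255 eq 443
access-list 101 permit tcp host 192.0.2.10 10.1.2.0 0.0.0.255 eq 22
access-list 101 deny ip any 10.1.1.0 0.0.0.255
access-list 101 deny ip any 10.1.2.0 0.0.0.255
access-list 101 permit icmp any any
"""
VE_SUBNETS = {"ve 1": "10.1.1.0/24", "ve 2": "10.1.2.0/24"}

def _take_addr(tokens, i):
    """Consume one address spec (any | host A | A wildcard); return (network, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    # Invert the wildcard mask ourselves; ipaddress' netmask/hostmask guess is ambiguous for 0.0.0.0.
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    if wild & (wild + 1):
        raise ValueError("non-contiguous wildcard mask")
    return ipaddress.ip_network(f"{tokens[i]}/{32 - wild.bit_length()}", strict=False), i + 2

def split_acl(big_acl, ve_subnets):
    """Split one big ACL into per-VE ACLs, keeping first-match order.

    A rule goes to every VE whose subnet its destination overlaps; destination
    'any' is a catch-all and is replicated to all VEs. Unmatched rules come back.
    """
    nets = {ve: ipaddress.ip_network(s) for ve, s in ve_subnets.items()}
    per_ve, unplaced = {ve: [] for ve in nets}, []
    for line in big_acl.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue  # remark, comment or blank line: not a rule
        try:
            _src, i = _take_addr(tokens, 4)  # tokens 0-3: access-list <id> <action> <proto>
            dst, _ = _take_addr(tokens, i)
        except (IndexError, ValueError):
            unplaced.append(line)
            continue
        targets = [ve for ve, net in nets.items() if dst is None or net.overlaps(dst)]
        for ve in targets:
            per_ve[ve].append(line)
        if not targets:
            unplaced.append(line)
    return per_ve, unplaced
```

Whatever comes out still has to be checked against the box's own ACL syntax and the flow-based/rule-based setting before it is applied to a VE.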